IP Access Rules — Allow and Block by IP

DodaTech 4 min read

Cloudflare IP Access Rules let you allow or block traffic based on source IP address, CIDR range, or country code — a first line of defense against malicious traffic before it reaches your origin.

What You Will Learn

You will learn how IP Access Rules fit into Cloudflare's security model, how to configure them through the dashboard and API, and how to combine them with other WAF features for layered protection.

Why It Matters

IP-based filtering stops known bad actors at the network edge before they consume origin resources or trigger application-level rules. Blocking entire countries or known attacker IPs reduces attack surface without complex rule logic.

Real-World Use Case

A SaaS dashboard receives repeated login attempts from a specific IP range in a high-risk region. An IP Access Rule blocks that range at Cloudflare's edge, reducing failed auth events by 90% and saving origin compute.

How IP Access Rules Work

IP Access Rules evaluate the source IP of every request before it reaches any Cloudflare WAF custom rule. If the IP matches a block rule, Cloudflare returns a 403 immediately without passing the request to the origin.

flowchart LR
  A[Visitor IP] --> B{IP Access Rule?}
  B -->|Allow| C[Pass to WAF]
  B -->|Block| D[403 Forbidden]
  B -->|Skip| C
  C --> E[Origin Server]

Configuration Options

Three actions are available for IP Access Rules:

| Action | Behaviour |
|--------|-----------|
| Allow | Whitelists the IP; overrides other blocking rules |
| Block | Returns 403 for matching requests |
| Skip | Passes request without evaluating other access rules |

Rules can target individual IPs, CIDR ranges (e.g. 203.0.113.0/24), or entire countries using two-letter ISO codes.

Step-by-Step: Dashboard Configuration

  1. Log in to the Cloudflare Dashboard and select your domain.
  2. Navigate to Security > WAF > Tools.
  3. Under IP Access Rules, enter the IP or CIDR range.
  4. Select Block or Allow from the action dropdown.
  5. Choose whether the rule applies to the dashboard API, your site, or both.
  6. Click Add to activate the rule immediately.

API Configuration Example

Use the Cloudflare API to manage IP Access Rules programmatically:

curl -X POST "https://api.cloudflare.com/client/v4/zones/ZONE_ID/firewall/access_rules/rules" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "mode": "block",
    "configuration": {
      "target": "ip_range",
      "value": "198.51.100.0/24"
    },
    "notes": "Block known scanner range"
  }'

Expected output:

{
  "result": {
    "id": "rule_id_here",
    "mode": "block",
    "notes": "Block known scanner range"
  },
  "success": true
}

Python Script for Bulk Blocking

When you have hundreds of IPs to block, use the API with a script:

import os
import requests

# Zone ID and token come from the environment so they stay out of the script.
ZONE_ID = os.environ["CLOUDFLARE_ZONE_ID"]
TOKEN = os.environ["CLOUDFLARE_API_TOKEN"]
URL = f"https://api.cloudflare.com/client/v4/zones/{ZONE_ID}/firewall/access_rules/rules"
HEADERS = {
    "Authorization": f"Bearer {TOKEN}",
    "Content-Type": "application/json",
}

block_ips = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]

for ip in block_ips:
    # One rule per address; the note records where the entry came from.
    payload = {
        "mode": "block",
        "configuration": {"target": "ip", "value": ip},
        "notes": "Bulk block from threat feed",
    }
    # A timeout keeps one stalled request from hanging the whole run.
    resp = requests.post(URL, json=payload, headers=HEADERS, timeout=10)
    print(f"{ip}: {resp.status_code} - {resp.json()['success']}")

Expected output:

203.0.113.1: 200 - True
203.0.113.2: 200 - True
203.0.113.3: 200 - True

Country Blocking via API

Block an entire country by passing its ISO code:

curl -X POST "https://api.cloudflare.com/client/v4/zones/ZONE_ID/firewall/access_rules/rules" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{
    "mode": "block",
    "configuration": {
      "target": "country",
      "value": "RU"
    },
    "notes": "Block traffic from Russia"
  }'

Expected output:

{
  "result": { "mode": "block", "configuration": { "target": "country", "value": "RU" } },
  "success": true
}

Common Mistakes

| Mistake | Consequence |
|---------|-------------|
| Blocking your own IP | Locks you out of the dashboard |
| Using allow rules without other controls | Malicious IPs bypass all WAF checks |
| CIDR too broad (e.g. /8) | Blocks legitimate users across entire ISP |
| Not adding notes | Impossible to audit rules later |
| Confusing Skip and Allow | Skip still logs; Allow suppresses all checks |
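A pre-flight check can catch several of these mistakes before any rule is created. The following is an added example, not part of the original article or of Cloudflare's tooling: it refuses entries that are too broad, that cover one of your own addresses, or that are already covered by an existing rule, and it picks the matching `target` for each payload. The function name, the prefix thresholds, and the sample addresses are assumptions.

```python
import ipaddress

# Assumed local policy (not a Cloudflare limit): shortest prefix we will block.
MIN_PREFIX = {4: 16, 6: 32}

def plan_block_rules(candidates, protected_ips, existing_values, note):
    """Turn raw IP/CIDR strings into block payloads, refusing risky entries.
    Returns (payloads, rejected); rejected maps each refused entry to a reason."""
    protected = [ipaddress.ip_address(p) for p in protected_ips]
    blocked = [ipaddress.ip_network(v, strict=False) for v in existing_values]
    payloads, rejected = [], {}
    for raw in candidates:
        entry = raw.strip()
        try:
            # strict=False normalises host bits, e.g. 198.51.100.7/24 -> .0/24
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected[entry] = "not an IP or CIDR"
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected[entry] = "range too broad"
        elif any(p in net for p in protected):
            rejected[entry] = "covers a protected IP"
        elif any(b.version == net.version and net.subnet_of(b) for b in blocked):
            rejected[entry] = "already blocked"
        else:
            blocked.append(net)  # also de-duplicates within the candidate list
            single = net.prefixlen == net.max_prefixlen
            target = ("ip" if net.version == 4 else "ip6") if single else "ip_range"
            value = str(net.network_address) if single else str(net)
            payloads.append({"mode": "block",
                             "configuration": {"target": target, "value": value},
                             "notes": note})  # never empty, so rules stay auditable
    return payloads, rejected

# Constructed sample input using documentation ranges, not a real feed.
FEED = ["203.0.113.1", "198.51.100.0/24", "10.0.0.0/8", "192.0.2.0/24",
        "198.51.100.7", "2001:db8::1", "not-an-ip"]
PROTECTED = ["192.0.2.10"]      # hypothetical admin egress address
EXISTING = ["198.51.100.0/24"]  # configuration.value strings already in the zone

if __name__ == "__main__":
    payloads, rejected = plan_block_rules(FEED, PROTECTED, EXISTING, "threat feed, reviewed")
    for p in payloads:
        print("create:", p["configuration"])
    for entry, reason in rejected.items():
        print("skip:  ", entry, "-", reason)
```

Each returned payload has the same shape as the request bodies shown earlier, so it can be posted to the access rules endpoint in the same way as the bulk script.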

Practice Questions

  1. What is the difference between Allow and Skip in IP Access Rules?
  2. How do you block an entire country using the Cloudflare API?
  3. Why should you avoid creating overly broad CIDR block rules?

Challenge

Write a script that fetches a public threat feed (e.g. from AlienVault OTX), extracts IPs, and creates IP Access Rules for any that are not already blocked in your zone.

Real-World Task

Your e-commerce site is being targeted by a scraper operating from a /24 range. Create a set of IP Access Rules that blocks the range but allows individual IPs that pass a captcha challenge. Document the rule ordering you would use.

FAQ

Can IP Access Rules block IPv6 addresses?

Yes. Cloudflare IP Access Rules support both IPv4 and IPv6 addresses. Enter the IPv6 address in standard notation (e.g. 2001:db8::/32) and the rule applies the same as IPv4.

What is the maximum number of IP Access Rules I can create?

The limit depends on your Cloudflare plan. Free plans allow up to 10 rules. Pro plans allow 50, Business plans 100, and Enterprise plans have custom limits. Use API-based management or WAF custom rules for larger sets.

Do IP Access Rules affect API traffic too?

By default, rules apply to both web and API traffic. When creating a rule you can choose whether it applies to the dashboard, API, or all traffic. Use the appropriate selection to avoid accidentally blocking your own API clients.


Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro — security-first tools for the modern web.
